We have an obligation to ensure compliance with the terms of the General Data Protection Regulation and the Data Protection Act 2018.

What is personal or special category data?

Personal data is information about an identifiable living person such as name, address, telephone number, date of birth, NHS Number, and information about that person held in records. Records can be in different formats e.g. written correspondence, emails, photographs, audio recordings and video recordings.

Why do we collect and store personal data?

We process personal data to enable us to provide healthcare services for patients; carry out data matching under the National Fraud Initiative; conduct research; support and manage our employees; maintain our accounts and records; and use CCTV systems for crime prevention.

The Trust has a duty to:

Process data lawfully, fairly and in an open manner

Only use data for a specific defined purpose

Only gather and record data that is relevant and limited to the defined purpose

Take every reasonable step to ensure data is kept accurately

Only hold data in an identifiable form for the minimum period necessary

Hold data securely and prevent any unlawful processing

How will we use information about you?

The types of information that we may collect and use include the following:

personal details

family details

education, training and employment details

financial details

goods and services

lifestyle and social circumstances

visual images, personal appearance and behaviour

details held in the patient’s record

responses to surveys

What is the Legal Basis for processing data?

Under the terms of the General Data Protection Regulation, we are required to notify you of the legal basis for processing the data we handle.

Healthcare

Personal data provided to the Trust for the purpose of healthcare delivery, management and treatment:

6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

To manage our contractual obligations for the services we have been commissioned to deliver:

Ensure that money is used properly to pay for the services it provides

Investigate complaints, legal claims or important incidents

Make sure that services offered give value for money

Make sure services are planned to meet patients’ needs in the future

Review the care given to make sure it is of the highest possible standard

To improve the efficiency of healthcare services

Staff Data

If we are your employer we process your data to enable us to undertake our responsibilities under law.

Personal data provided by staff members for the purpose of employment:

6(1)(f) Necessary for the purposes of legitimate interests

Special category data provided by staff members for the purpose of employment:

This data is required to manage the operation of the organisation and to ensure compliance with the terms and conditions outlined in your contract, as part of your employment.

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;

National Fraud Initiative:

The Trust has a duty to protect the public funds it administers and as such participates in the National Fraud Initiative. This is an electronic data matching exercise conducted by the Cabinet Office, carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of employees.

6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Special category data gathered by the Trust in relation to employee health is processed for the reasons of preventative or occupational medicine and for assessment of working capacity.

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

Student Data

Student Information Privacy Notice

The Trust is the Data Controller for your personal information and is subject to the General Data Protection Regulation (GDPR).

The Trust works with partner academic organisations to support and mentor students and apprentices during their placements. Student and apprentice information is processed in accordance with the individual learning agreements in place with the academic institution.

This privacy notice explains how the Trust uses and shares your personal data and outlines your rights in relation to the personal data we hold.

What information are you collecting?

The Trust may obtain, hold and process data of applicants and students including personal data and special category data.

Personal data and special category data held by the Trust relating to students is obtained directly from the student or applicant.

Why are you collecting my data?

The Trust holds the personal data and special category data of its applicants and students to facilitate support and mentoring of individuals and to ensure compliance with the terms and conditions outlined via contract or learning agreement.

Only information required for these purposes is obtained and processed for operational purposes, and without it the Trust may not be able to provide its services to you or meet its statutory obligations.

Personal data provided by students for the purpose of employment:

6(1)(e) whereby processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Northamptonshire Healthcare).

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;

Additional information on the e-learning toolkits used and their Privacy Policies can be accessed via links below.

As Members or Involvees of the Trust you will likely receive information that may be of interest as a patient, carer or member of the community that we serve. In common with all other NHS foundation trusts we have a statutory duty to engage with our communities and encourage new Members and Involvees of the Trust.

Personal data provided by Members or Involvees for the purpose of engaging with communities:

6(1)(e) whereby processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Northamptonshire Healthcare).

Equality and Diversity Data

As a Trust we have a duty to eliminate unlawful discrimination, harassment or victimisation, to advance equality of opportunity and to foster good relations. All public bodies must treat people from different groups fairly and equally. Data on equality and diversity is captured in accordance with the Equality Act 2010.

Special Category Personal Data provided to the Trust for the purpose of compliance with Equality legislation:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.

Mental Health Act Data

Most people who receive treatment in hospitals or psychiatric units for mental health conditions are there voluntarily and have the same rights as people receiving treatment for physical illnesses. However, a small number of patients may need to be compulsorily detained under a section of the Mental Health Act 1983.

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.

9(2)(c) Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

Use of Photographs

Photographs where an individual can be clearly identified will only be used as part of promotional materials and the website where explicit consent has been given by the individual.

Personal data for the purpose of promoting the work of the Trust:

6(1)(a) Consent of the data subject

Recovery College

Recovery College NHFT supports individuals with experience of mental health difficulties to live the life they want to lead and become experts in their own self-care. The college supports individuals through courses designed to contribute towards wellbeing.

Data captured during enrolment is required to manage this service and to provide you details of available courses and resources.

Personal data provided by individuals for the purpose of enrolment:

6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(b) necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;

Research

Data is gathered for research with the same controls as for the collection and processing of data for healthcare purposes. Consent will be sought for participation in research trials under the common law duty of confidentiality.

Personal data provided by individuals for the purpose of research:

6(1)(e) Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Special Category Personal Data provided to the Trust for the purpose of healthcare delivery, management and treatment:

9(2)(h) Necessary for the reasons of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional

Data sharing with partner organisations

We hold a list of the information sharing agreements we currently have in place with our partner organisations. As part of the Northamptonshire Health and Care partnership we work with other health and public sector organisations for the delivery of services.

Other ways your data may be shared

National Surveys

Your personal data may be used for the purposes of the NHS Patient Survey Programme, and this may include passing data to a CQC approved contractor. The anonymised reports produced by the survey programmes are used to help make service improvements.

The processing basis for the Trust to use your information for the NHS Patient Survey Programme is set out in Article 6(1)(e) of the General Data Protection Regulation, which allows data to be processed where the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

Safeguarding

There is a Duty of Care to report safeguarding concerns to partner organisations to support an individual’s welfare. There is useful information on the Trust’s Safeguarding Page on the importance of safeguarding for Adults and Children and how staff are supported to act in the best interests of the individual.

We are committed to supporting the health and wellbeing of families. This means to protect you and your child we may need to share information with other agencies such as social services or the police.

Public security

Data may be shared with the Police or other national security agencies where it is necessary and proportionate to support the prevention, investigation and detection of crime.

Tuberculosis

Data may be provided to the Trust by partner agencies to support the management of patients with Tuberculosis or suspected Tuberculosis.

Infection Control

Data may be provided to the Trust by partner agencies to support the management of public health.

Is my data transferred overseas?

Your personal data may be transferred outside of the UK, for example, if the Trust uses a cloud service that has servers in another country. A Data Protection Impact Assessment will have been completed to ensure that data is held securely and within the requirements of the law.

If your data is transferred overseas there will be a contract in place, and a Data Processing Agreement that ensures responsibility for safeguarding data.

Is my data handled using automated decision processes?

The Trust does not currently use automated decision processes. This privacy notice will be regularly reviewed and updated as necessary.

How do we store and safeguard your data?

We may introduce new processes or technologies that capture and store personal data, e.g. biometric scanners, body worn video cameras etc. The Trust considers privacy at the initial design stages and throughout the complete development process by invoking the Data Protection Impact Assessment and Change Management Processes, thus ensuring the appropriate technical and organisational measures are in place to safeguard individuals’ rights and adherence to GDPR/DPA 18.

We keep your information in accordance with timescales set out in the Records Management Code of Practice for Health and Social Care. Personal data that does not have a national retention schedule in the Code of Practice is managed for as long as is necessary to fulfil the purpose of obtaining it or if we are required to keep it by law. A link to this document can be found below:

A secure computer system called SystmOne is used across a number of NHFT services to hold medical records.

SystmOne is also used in Northamptonshire by most GPs, as well as the out of hours GP service. For those services that use SystmOne, since October 2013 you have been able to decide which NHS services can view your record, with the aim of providing you with control and reassurance regarding how your secure medical records are used.

With your permission, clinicians using SystmOne are able to share your medical record easily and safely with the other healthcare services involved in your care. This will mean that when you attend any service using SystmOne they will be able to view your NHFT medical record so that the clinicians who see you have all the information they need to enable them to provide the best possible health care for you.

Why is this necessary and how does it work?

Patient Led Record Sharing puts YOU in control of your NHFT medical record – you will be asked whether you wish to share your information with other health care services, like your GP, and the benefits and any risks of your decision will be fully explained to you.

Sharing your medical record will improve communication about your care between healthcare professionals – it is important that you give your consent to this sharing, to ensure that your clinicians have all the information they require to offer you the best possible care.

Patient led record sharing enables high quality, joined up care across the different NHS services.

This sharing was designed to align SystmOne with the NHS care record guarantee. This guarantee states that patients should be able to control which services (that are caring for them) are able to see information held on their record.

All staff members are trained in confidentiality and information governance. If you decide to share your record you can be sure that healthcare professionals will always treat your health record with the greatest care and discretion.

Will all my medical record be shared?

If you do not wish another service to see particular items in your medical record, please discuss this with your GP or healthcare professional. You can request for individual entries in your patient record to be marked as ‘Private’. These will not be visible at any NHS care service other than the one that recorded the information.

Can I opt out of processing?

If you wish to opt out of sharing your information with other healthcare settings please discuss with your healthcare team at your next appointment. They can discuss with you the impact to your individual health care.

If you wish to opt out of having your information used for the purpose of national surveys detailed in the section of the privacy notice called “Other ways data may be shared”, please complete the form below:

How do I make a request for Information or make a complaint?

If you wish to ask the Trust about a data protection issue, request information on data we process, request a copy of your data, make a request for data to be erased or rectified, or if you have concerns about the processing of your personal data by us, you may contact our Information Governance Team at:

Care will not be adversely affected by any comments or complaints you make.

If you are not content with the outcome of your complaint, you may apply directly to the Information Commissioner for a decision. Generally, the Information Commissioner cannot make a decision unless you have exhausted the complaints procedure provided by the Trust. The Information Commissioner can be contacted at:

The Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

How do I make a request for information relating to someone who has died?

Access to the health records of deceased patients is covered by The Access to Health Records Act (AHRA) 1990.

The Act provides certain individuals with a right of access to the health records of a deceased individual. These individuals are defined under Section 3(1)(f) of that Act as, ‘the patient’s personal representative and any person who may have a claim arising out of the patient’s death’. A personal representative is the executor or administrator of the deceased person’s estate.

There is no statutory right of access to records of deceased patients which fall outside of the time period covered by the Act and Northamptonshire Healthcare NHS Foundation Trust is unable to process requests for records of Deceased Patients where the date of death is prior to 1st November 1991.

The Trust will consider requests for access where a patient has died after 1st November 1991; these requests will be considered on a case by case basis.

Is this Privacy Notice regularly reviewed?

Conditions of use of this site

Use of this site

Northamptonshire Healthcare NHS Foundation Trust provides this website for personal use. In using this website, the user agrees to use this site for lawful purposes only and in a manner that does not infringe the rights, or restrict or inhibit the use of this site by any third party.

Information collected through this website is for the sole use of Northamptonshire Healthcare NHS Foundation Trust.

Northamptonshire Healthcare NHS Foundation Trust cannot guarantee uninterrupted access to this website or the sites to which it links, and accepts no responsibility for any damages arising from the loss of use of this information.

Disclaimer

This website is intended simply to provide helpful advice and information about Northamptonshire Healthcare NHS Foundation Trust and the services we provide.

The Trust has taken every care in the preparation of the content of this website. Northamptonshire Healthcare NHS Foundation Trust is not liable for any loss or damage arising from the use of this site or the information contained in it.

Northamptonshire Healthcare NHS Foundation Trust is not responsible for the availability of access to and links from this site, or for the content on linked sites. The Trust is not responsible for any transmission received from any linked site. Links are provided solely to assist visitors to Northamptonshire Healthcare NHS Foundation Trust’s website and the inclusion of a link does not imply that the Trust endorses or has approved the linked site. Equally, the lack of a link does not imply lack of endorsement.

Copyright

The names and logos identifying Northamptonshire Healthcare NHS Foundation Trust are proprietary marks of the NHS. Copying our logos and any other third party logo via this website is not permitted without approval of the relevant copyright owner.

Re-use of information

You may re-use the information on this website free of charge in any format. Re-use includes copying, issuing copies to the public, publishing, broadcasting and translating into other languages. It also covers non-commercial research and study. Re-use is subject to the following conditions:

Use of material should include an acknowledgement of the source

Reproduction of material should be accurate and should not mislead

Information should not be used for the principal purpose of advertising or promoting a particular product or service or for commercial gain.